DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-QRWJ-VH9X-GW5V: GHSA-QRWJ-VH9X-GW5V: Cross-Agent Server-Side Request Forgery and Remote Code Execution in Coder Workspace Agent

GHSA-QRWJ-VH9X-GW5V: Cross-Agent Server-Side Request Forgery and Remote Code Execution in Coder Workspace Agent

Vulnerability ID: GHSA-QRWJ-VH9X-GW5V
CVSS Score: 8.0
Published: 2026-07-06

An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.

TL;DR

Insecure HTTP redirect handling in the Coder control plane allows a compromised agent to spoof requests to other workspace agents, enabling cross-tenant file writes and arbitrary code execution.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918 (Server-Side Request Forgery)
  • Attack Vector: Network (AV:N)
  • CVSS: 8.0 (High)
  • EPSS Score: Not Available
  • Impact: Remote Code Execution (RCE) / Unauthorized File Access
  • Exploit Status: PoC (Proof of Concept)
  • KEV Status: Not Listed

Affected Systems

  • Coder Workspace Agent Client

Mitigation Strategies

  • Upgrade Coder deployment control plane and agent binaries to a patched version immediately.
  • Monitor workspace logs for unexpected redirection requests or unauthorized access attempts.

Remediation Steps:

  1. Identify all running Coder deployments and verify current versioning.
  2. Download and install the appropriate patch release based on your version stream (v2.34.4, v2.33.10, v2.32.9, or v2.29.19).
  3. Restart the coderd control plane daemon to enforce the client configuration changes.
  4. Configure log aggregators to alert on the string 'blocked workspace agent API request to unintended host'.

References


Read the full report for GHSA-QRWJ-VH9X-GW5V on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)